Security has to be credible and not the department that always says no to things. That is according to a report by US-based chief security officers (CSOs).
CEOs are expecting more from their security functions. A change stems from the September 11, 2001 terror attacks on New York and Washington, the report suggests. The security function’s role since 9-11 is now, more than ever, a business one. The security department is described in the report as integral to business growth and to meeting critical business challenges. Enlightened business leaders recognise the value of the security function as fundamental to a business. No longer an after-thought, security has become a core function, it is claimed, embedded in other departments such as finance, law, human resources, quality, the supply chain, marketing, and operations.
Having evolved rapidly into a value-added function, security is, and will continue to be, a critical strategic player. It’s not just about security, but, rather, business and security, with CSOs acting as partners across functions and business units at the early planning and budgeting stages to identify risk, and keep an eye on costs. It’s not all plain sailing for the CSO, though. The report authors acknowledge that those at the top of a company, including the CSO, have to change any lingering perceptions that security is an imposition, rather than an essential to how you do business.
As new generations make their mark in the workplace, the traditional notion of a security professional continues to be challenged. Even given the positive changes recently, senior management must ensure that security executives do not revert to ‘what was’, but
focus on “what is”. In a word, the report suggests, a chief security officer ought to be well-connected, reaching across departments, to gain a holistic view of what the business is about. This report is based on discussion and presentations during meetings in 2012 of the US-based Conference Board Council of Corporate Security Executives, which features American household names such as The Walt Disney Company, Microsoft and PepsiCo; the International Security Management Association; and the CSO Roundtable of security management body ASIS International.
From September to December 2011, chief executives were asked to rank order the top three challenges they anticipate their companies would face in the coming year. Of the 776 responses, 158 were from Europe. The European chief execs rated challenges this way: 1) Global political/economic risk. 2) Innovation. 3) Government regulation (which was number one in the United States). Next came global expansion and costs (or ‘cost optimisation’, as it was put). The report authors suggested that with globalisation comes more scrutiny of the corporate operating environment, sheer flow of information, and a demand for transparency across new markets. As a result, to be effective and relevant, heads of security must develop their business acumen and risk management. To go into more detail, by Government regulation the report authors mean that the security person should keep his employer abreast of everything from laws on espionage to counterfeiting. Government oversight and regulation is growing everywhere, the authors suggest. The ability to influence policy in countries is stressed by the report. The report gives the example of corruption – a risk for any company; but each country comes with different laws for a company to comply with – such as the Foreign Corrupt Practices Act in the United States, and in the UK Bribery Act. In other fields, the law is evolving and needs to be tracked, as with the UK Corporate Manslaughter and Corporate Homicide Act, that makes directors liable for shortcomings that lead to worker deaths, whether to do with safety or security. According to the report, security should be a partner with the legal, compliance, and risk management functions to identify risk and let employees know of the legal and cultural pitfalls of doing business in different cultures, especially in emerging markets.
The report points particularly to developing markets, where multinationals can have influence on the formulation of security-related issues, such as the
enforcement of intellectual property rights. And as for risk, every business, regardless of location or industry, has risks to deal with, and not only the big-picture strategic mergers and acquisitions that need due diligence, but the day-to-day financial, transactional, and operational risks, whether those require physical assessments, integrity checks, compliance, and a judgement on how a risk might affect the company’s ethics, and reputation. The security function plays a critical role in identifying and mitigating risks that might be overlooked or undervalued, it is suggested. For instance, the business-savvy CSO can warn of false economies – if the firm seeks to cut costs by going with a cheaper supply chain contractor, that may add risks and raise insurance or other costs.
Human capital
Putting the risks another way, the CSO has to think in terms of human capital. Careless or malicious behaviour by employee, whether out of ignorance about foreign laws and cultures or outright crime and violations of ethics, are many corporations’ greatest potential weakness, the report authors say. The report speaks of security being involved from ‘cradle to grave’, where the work can be as varied as a pre-hire or other investigation; preparing employees to travel safely to unfamiliar destinations; or the evacuation of employees due to a human or natural disaster.
To download this publication free, visit www.conferenceboard.org. For more details visit www.asisonline.org, www.csoroundtable.org or isma.com. For instance, fraud, brand protection and aviation and cargo security were topics at a November ‘CSO Roundtable’ run by ASIS, in Istanbul.
In brief
During Hurricane Sandy in the United States, Control Risks Chief Executive Richard Fenning spoke on the BBC Radio 4 Today programme on October 30. As he began by saying, you cannot control the weather, but to some extent you can control your reactions to it. He said: “The resilience of companies is far stronger than it used to be.” Because of social media, staff can work without needing the company headquarters so much. And after 9-11, New York companies have disaster recovery and business continuity plans that they did not have before the terror attack.
For a interview about Hurricane Sandy on Business Daily on the BBC World Service, visit the Control Risks website –
http://controlrisks.podbean.com/2012/10/30/hurricane-sandy-business-continuity-implications/
Berlin is the venue for this year’s Chief Security Officer (CSO) Summit by MIS Training from December 12 to 14, after last year’s in London. UK speakers include Crawford Robinson, of British American Tobacco group security; consultant David Burrill, former BAT chief security man; Guy Mathias, who chairs the UK Pharmaceutical Industry Security Forum; Mike Morwood, security director UK and Europe for Cemex; and Rick McConnell, CSO at Euroclear SA/NV. Chairing the event is Simon Scales, fraud and misconduct investigations man at BP. Topics include kidnap and ransom; scenario planning for shock attacks on cities, taken by consultant Dr Sally Leivesley; and security officer training.
Fred Miller is among speakers at a five-day anti-corruption course in Prague in December for judges and prosecutors to investigate and prosecute cases of official corruption. An accountant, Senior Partner at PwC, he is Global Co-Leader of PwC’s anti-bribery and anti-corruption practice. Visit ceeliinstitute.org.
